Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
  • G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F9/00—Arrangements for program control, e.g. control units
  • G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
  • G06F9/46—Multiprogramming arrangements
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F9/00—Arrangements for program control, e.g. control units
  • G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
  • G06F9/46—Multiprogramming arrangements
  • G06F9/54—Interprogram communication
  • G06F9/544—Buffers; Shared memory; Pipes
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/16—Implementing security features at a particular protocol layer
  • H04L63/168—Implementing security features at a particular protocol layer above the transport layer
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
  • H04L69/12—Protocol engines
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
  • H04L69/30—Definitions, standards or architectural aspects of layered protocol stacks
  • H04L69/32—Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
  • H04L69/30—Definitions, standards or architectural aspects of layered protocol stacks
  • H04L69/32—Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
  • H04L69/321—Interlayer communication protocols or service data unit [SDU] definitions; Interfaces between layers
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/16—Error detection or correction of the data by redundancy in hardware
  • G06F11/20—Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
  • G06F11/202—Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant
  • G06F11/2043—Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant where the redundant components share a common memory address space
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L12/00—Data switching networks
  • H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
  • H04L12/46—Interconnection of networks
  • H04L12/4604—LAN interconnection over a backbone network, e.g. Internet, Frame Relay
  • H04L12/462—LAN interconnection over a bridge based backbone
  • H04L12/4625—Single bridge functionality, e.g. connection of two networks over a single bridge

Definitions

• the present invention relates to a gateway server provided with a micronucleus. It also relates to a method of data transmission between networks via such a gateway server.
• OSI Open Systems Interconnection
• gateway server 17 also called proxy or "proxy" in English, this representation can be simply performed in three levels:
• a first level of control comprises a kernel that manages the operations performed by the applications of the operating system, in particular by allocating resources to these applications and by controlling the communications between these resources.
• the kernel is typically a monolithic kernel, although a modular approach can be chosen to specifically manage each resource offered by the operating system.
• Such a monolithic kernel includes low-level software, such as scheduler, process manager, memory manager, as well as device drivers and some high-level services such as file systems and cryptographic algorithms. filtering.
• a second communication level 14 comprises the software applications, in particular forming the protocol stacks required to transmit or receive data via a telecommunication network using a communication protocol.
• each layer resolves a number of data transmission problems, and provides well defined services to the upper layers of the first level 16. These high layers are closer to the user and handle more data. abstract, using the services of the lower layers that format these data so that they can be emitted on a physical medium.
• a third media level performing the interface of the server 17 with an external network 10 or 11.
• This level 12 is typically in accordance with the Ethernet protocol implementing a physical layer and a software sub-layer, namely the Media Access Control layer (MAC). ) of the OSI model.
• MAC Media Access Control layer
• Such a gateway 17 may have a filtering function intended to ensure the transmission of data 13 received, for example, from an insecure network 10 such as the Internet network intended for a sensitive network 1 1. In this case, these data 13 are processed:
• the communication level 14 comprising a stack of TCP / IP protocols, for "Transmission Control Protocol” and “Internet Protocol” in English, in order to generate data, transmitted according to transport protocols, conform to application protocols, and finally
• level 16 of control implementing high level filtering services making it possible, for example, to decrypt the data before transmission to the sensitive network 1.
• the present invention results from the observation that such a server, and the method required for its implementation, have drawbacks. In particular, they have weaknesses specific to the complexity of a monolithic kernel and the architecture of a computer system that does not allow a formal verification of the vulnerability of a gateway server.
• such a malfunction is represented at communication level 14, for example within the layer specific to the TCP / IP stack.
• this malfunction 15 transmits data from the network 10 to the network 1 1 without the prior transmission of the latter at the control level 16.
• the present invention relates to a gateway server provided with a first subsystem comprising a media level, a communication level and a control level, this server also comprising a micronucleus and an IPC controller managing communications between the server resources allocated to the first subsystem, characterized in that it comprises:
• a second subsystem comprising a second media level, a second communication level and a second control level such that the micronucleus and the IPC controller also manages communications between the server resources allocated to this second subsystem , and
• a read and write shared memory established under control of the micronucleus and the IPC controller, between the control level of the first subsystem and the control level of the second subsystem.
• Such a gateway server addresses the problem of the absence of transmission control functions due to malfunctions, whether caused or accidental, the media level and / or the communication level of a gateway server.
• a server according to the invention thus makes it possible to protect a sensitive network from external aggression, whether voluntary or not. In this way it ensures a security policy between networks of different sensitivities, for example, between a non-secure network and a sensitive network.
• each subsystem comprises means for coding information, received in a request according to a network communication protocol, into a bit pattern conforming to a communication protocol between the control levels of the first subsystem and the subsystem. second subsystem.
• each subsystem may comprise means for coding the information into a binary structure after processing the latter in the communication level and then in the control level of this subsystem.
• the server comprises means for identifying, depending on the nature of the request, the characteristic data of the request to be coded in the binary structure.
• the server comprises means for associating the received request with a predefined query in a limited list of authorized requests.
• the micronucleus comprises means for associating each application implemented by a subsystem with the control of a resource of the server.
• the server includes means for limiting communications so that neither the media level nor the level of communication of a subsystem can not communicate directly with the media level or with the communication level of the other subsystem without the intermediary control levels of the subsystems.
• the server comprises means for analyzing the syntax and the validity of the protocols filtered by each layer used in the server.
• the invention also relates to a control method for a gateway server provided with a first subsystem comprising a media level, a communication level and a control level, this server also comprising a micronucleus and an IPC controller managing communications between the server resources allocated to the first subsystem, characterized in that, the server also having a second subsystem, comprising a second media level, a second communication level and a second control level such as that the microkernel and the controller of IPC also manages communications between the resources of the server allocated to this second subsystem, a reading and writing shared memory, established under control of the micronucleus, is used to transmit requests between the level control of the first subsystem and the control level of the second subsystem using a server conforming to one of the embodiments preceding.
• the invention also relates to a computer program product comprising program code instructions recorded on a computer readable medium for implementing a method according to the invention when said program is running on a computer.
• FIG. 1, already described, is a schematic view of the operation of a gateway server according to the prior art
• FIG. 2 is a schematic view of the operation of a gateway server according to the invention
• - Figure 3 shows the processing of an HTTP request by a server according to the invention.
• a gateway server 27 comprises two media levels 22 and 32, two communication levels 24 and 34 and two control levels 26 and 36.
• micronucleus 38 is implemented to perform some basic functions including managing communications between server resources, including IPC message transfer for "Inter Process Communication" in English.
• a second generation micronucleus includes a clock driver and a scheduler such that such a micronucleus comprises less than 20,000 lines of code.
• a monolithic kernel includes millions of lines of code with a proportional risk of bugs and security flaws. It can hardly be verified as meeting the specifications of current code verifiers and formal proof systems.
• monolithic cores have poor isolation properties.
• user processes can break isolation in different ways with tubes, files, shared memory, and so on. The management of inter-process communications is unreliable.
• micronuclei solves the problem of a fault within the control level.
• These micronuclei have a size that allows them to be easily maintained and formally verified, for example, to certify them at a high level such as level 7 of the international EAL standard for "Evaluation Assurance Level" in English.
• a gateway server provided with such a micronucleus can respond to the complexity and vulnerability of monolithic cores. In terms of security, such a system benefits from the strength of the micronucleus.
• server security also depends on the strength of IPC communications as these are a potential means of transmitting dangerous data.
• IPC communications for reasons of efficiency, the management of communications security is traditionally left at the server level, the micronucleus simply transmitting the messages.
• micronucleus 38 includes an IPC controller providing a communication rights mechanism so that two applications can communicate with each other only if the controller recognizes that these applications have the appropriate rights.
• the micronucleus considers each application, for example services or drivers, as the subject of the security criteria that are provided to it beforehand.
• the micronucleus 38 can allocate system resources to the applications it manages according to a rule set at its start while its IPC controller 25 allocates or denies communication rights between these applications.
• the micronucleus 38 identifies, on the one hand, resources to allocate - such as memory, inputs and outputs, privileges for management levels of - and on the other hand communications waiting to authorization of the IPC controller 25.
• the IPC controller 25 determines from this list whether the requesting application has a right of communication with the destination application.
• the IPC controller 25 thus performs the IPC controller function to, for example, issue communication rights to particular applications on demand. Likewise, this IPC controller can detect attempts to violate security criteria and provide an audit on the potential for violation.
• the micronucleus 38 also has the function of maintaining for each application the previously authorized communications.
• Such a structure allows a precise control over the use of the resources while, simultaneously, each application is associated with the control of a resource, that is to say of a component or hardware mechanism, which reinforces the control for block the spread of an attack or bug.
• the data processing therefore uses two subsystems, namely:
• a secure subsystem formed by the media level 32, the communication level 34 and the control level 36 connected to the sensitive network 21, for example an avionics network, a defense intranet and / or a node central communication.
• each subsystem manages a data flow, for example at its network interface or protocol stack, by using its own physical resources that are isolated from the other subsystem, except between their respective subsystems. control as described later.
• the micronucleus 38 and its IPC controller 25 authorize communications of the level 22, respectively 32, media with the level 24, respectively 34, of communication, the latter level being able to communicate only with the level of communication. control 26, respectively 36.
• an attack or bug from the network 20 succeeds in infiltrating through a fault in one of the layers of the media level and / or the communication level 24, for example in the application of a pilot and / or the protocol stack, data can not be transmitted to the sensitive network 21 without their processing by the level 26 and 36 control.
• the server architecture allows deep filtering of the network, this filtering using an analysis of the syntax and validity of the protocols filtered by each layer of the server, for example: Ethernet, IP, TCP, level application.
• a request received by the unsecured subsystem is transformed, during its progressive processing by the communication level 24 and then by the control level 26, with a request in a simple clearly defined bit structure.
• FIG. 3 illustrates the decomposition of an HTTP protocol request into binary data encoding the information transmitted by this HTTP instruction.
• this data includes a "Get” statement, a URL address, the version of the HTTP protocol used, and the file formats taken into account by browser or browser software.
• This binary data is then transmitted to the control level of the secure subsystem via shared memory 29 between the two subsystems.
• a limitatively defined protocol is used.
• Such a protocol defines the set of requests that can be issued by the control level 26 of the insecure network, so that the data fields required for these requests can, on the one hand, be predetermined and on the other hand , be filled with binary data encoding the information identified in the received request.
• the requests transmitted by the unsecured network 20 via the gateway server 27 are processed by the non-secure subsystem to extract from the latter data characteristic of the requests, these characteristic data being transmitted to the secure subsystem via the level of control 26 of this unsecured subsystem.
• the secure subsystem rewrites the request according to its communication level 34, for example according to an HTTP protocol, based on the previously extracted characteristic data. Subsequently, this request is transmitted via the communication level 32 to the recipient server which can then be validly and surely forced.
• Such formatting of the data is shown in Fig. 3 from the previously obtained binary data from an HTTP request.
• the response of the destination server is received by the media level 32, then 34 of communication to reach the level 36 control.
• This control level 36 can then transmit the binary data, obtained from the response, through the shared memory 29 so that the latter transmits it to the applicant via the levels 26, 24 and 22 of the unsecured subsystem.
• a gateway server is not intended to block bugs and / or attacks but to limit their consequences on the sensitive network since the set of requests sent in the sensitive network by this server are queries validated by their rewriting, these validated requests do not correspond exactly to the initial request. The security of the gateway is thus ensured by the architecture of the server.
• each subsystem acts as an airlock that can communicate with the other subsystem only through a memory in which binary data encoding the identified information is stored in a request received at the input of a subsystem.
• subsystems in predefined fields. In this way, the subsystems communicate only through their level of control, particularly reliable by the presence of a micronucleus, and by means of data whose scope is limited to the predefined field.
• the present invention is capable of many variants.
• the description given below of the invention has a micronucleus 38 comprising the IPC controller 25 but, depending on the variants and criteria used to define a micronucleus, this IPC controller 25 can be located outside micronucleus 38.

Applications Claiming Priority (2)

Publications (3)

Family

ID=41119843

Family Applications (1)

Country Status (8)

Families Citing this family (3)

Family Cites Families (25)

• 2008
  • 2008-12-30 FR FR0859143A patent/FR2940695B1/fr not_active Expired - Fee Related
• 2009
  • 2009-12-23 CA CA2747375A patent/CA2747375C/fr active Active
  • 2009-12-23 AU AU2009334568A patent/AU2009334568A1/en not_active Abandoned
  • 2009-12-23 ES ES09806106T patent/ES2744525T3/es active Active
  • 2009-12-23 BR BRPI0923742-9A patent/BRPI0923742B1/pt active IP Right Grant
  • 2009-12-23 EP EP09806106.2A patent/EP2380328B8/de active Active
  • 2009-12-23 US US13/141,816 patent/US9282079B2/en active Active
  • 2009-12-23 WO PCT/FR2009/052687 patent/WO2010076523A1/fr active Application Filing
• 2016
  • 2016-06-01 AU AU2016203662A patent/AU2016203662A1/en not_active Abandoned
• 2018
  • 2018-07-26 AU AU2018208696A patent/AU2018208696B2/en active Active

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events